A $4.35 million settlement has been proposed for a class-action lawsuit against Excellus BlueCross BlueShield for a 2015 data breach. Pictured: The Excellus Blue Cross Blue Shield corporate headquarters is seen in Rochester, N.Y. (DanielPenfield, CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0, via Wikimedia Commons)

A proposed settlement has been reached in a class-action data breach lawsuit against Excellus Health Plan, affiliate companies, and Blue Cross Blue Shield Association, which would result in millions of dollars in injunctive relief and require the insurer to make numerous improvements to its security program.

The class-action lawsuit consolidates 14 proposed cases that call into question Excellus’ security program, as well as delays in its breach notification and gaps in its communication that left plan members without a full explanation of the risks the incident posed to them.

The settlement stems from a 2015 breach that impacted 10.5 million people, which Excellus did not discover until 18 months after the malware and hacking incident began.

An attacker gained access to the health plan’s network in December 2013 and installed malware to conduct reconnaissance. The long-term hack enabled the threat actor to access the protected health information of 7 million patients with ties to Excellus and about 2.5 million members of its non-BlueCross subsidiary, Lifetime Healthcare.

The exposed data included Social Security numbers, member identification numbers, financial account information, and claims data. It remains one of the largest healthcare security incidents not caused by a vendor, and at the time, it was the third-largest healthcare data breach ever recorded.

The proposed settlement follows a $5.1 million civil monetary penalty imposed one year ago by the Office for Civil Rights of the Department of Health and Human Services.

OCR found five potential violations of the Health Insurance Portability and Accountability Act, including failure to conduct an accurate risk analysis of system vulnerabilities, failure to implement HIPAA-required security measures that could have reduced the network risks to an appropriate level, and failure to implement adequate ePHI security policies and procedures.

According to the lawsuit settlement, the lengthy litigation, which involved reviewing 1.5 million documents of evidence, identified similar security gaps. As part of the agreement, Excellus, its subsidiaries, and BCBSA deny any wrongdoing, and the court has not made a determination of guilt.

The settlement includes “millions of dollars in tangible benefits” and establishes requirements for Excellus to implement to remediate “current and historical security deficiencies, as well as data retention” and requires the insurer to remedy the alleged security control deficiencies outlined in the lawsuit.

Interestingly, the proposed $4.35 million will be directed to “attorneys’ fees, reasonable costs and expenses of all cases comprising the litigation,” as well as service awards for the “class representative plaintiffs.” The settlement does not appear to direct funds to the pool of breach victims.

“In exchange for these business practice changes and information exchanges, class members will release all claims for injunctive and declaratory relief they may have against Excellus defendants and BCBSA — but will not release claims for monetary damages,” according to the press release.

In fairness, the proposal shows counsel has spent about 16,054 hours litigating the case “and have accrued a lodestar of approximately $8,314,828.65.”

Improvements to Excellus security controls, budgets part of settlement

Excellus also committed to a substantial increase in its information security budget “over its pre-lawsuit spend for the next three fiscal years” and “committed to spending the entire amount budgeted on information security, which it did not always do historically.”

“After years of litigation, taking numerous depositions, and reviewing more than 1,510,000 of pages of documents, [plaintiffs] are extremely familiar with Excellus’s [sic] information security strengths and weaknesses,” according to the settlement.

Over the course of the last few years, the insurer has already made significant improvements to its security controls. However, some of the improvements “remain insufficient,” including “phasing out insecure encryption algorithms and implementing challenging technical fixes to alleged security flaws in key data resources.”

The settlement also requires the insurer to bolster its overall network security, particularly around its tools, processes, and systems for detecting suspicious activity, user authentication, and incident containment and response.

Further, the lawsuit argues that Excellus continues to retain more historical data on plan members than required. The settlement requires the insurer to develop a plan for ensuring records containing PHI and personally identifiable information are disposed of within a year.

The proposed settlement also shows that Excellus has already started an extensive data archiving program and agreed to share those results with the breach victims’ representation.

Excellus has already started to implement zero trust controls. By the end of the year, the insurer must provide counsel with evidence of compliance related to bolstering its information security.

The final approval hearing for the proposed settlement is slated for April 13, 2022.

Correction: An earlier version of this story included a photograph of the headquarters of a health company that is not affiliated with Excellus Blue Cross Blue Shield, nor involved in the litigation discussed in this story. The photo has been updated.